pjang
Staff & Editor
February 10, 2025

Technical Tip: FortiGate in FIPS-CC mode cannot import certificate if root/intermediate CA certificates are missing

Description

This article describes a known restriction that occurs when importing end-entity certificates onto the FortiGate while FIPS-CC mode is enabled.

Scope

FortiGate, FIPS-CC.

Solution

When FIPS-CC mode is enabled, FortiOS does not allow administrators to import an end-entity certificate if the Root and Intermediate certificates (if any) used to sign the certificate are missing on the FortiGate.

This is a known restriction imposed as part of NDcPP v2.2e (FIA_X509_EXT.3.2) requirements while in FIPS-CC mode, whereas non-FIPS-enabled FortiGates do not have this restriction.

Consider the following scenario:

  • An administrator creates a Certificate Signing Request (CSR) on the FortiGate, exports it, and provides the CSR to a private Certificate Authority (CA) server.
  • The private CA signs the CSR and provides a certificate file. The administrator takes this file and attempts to import it onto the FortiGate.

If the administrator attempts this in the Web GUI, the error 'CRL/certificate file doesn't have matched CA imported' is displayed.

To resolve this, the full certificate chain must be imported to the FortiGate. This includes the Root CA certificate as well as any Intermediate CA certificates used to sign the FortiGate certificate. To do this:

  1. In the Web GUI, navigate to System -> Certificates.
    If the section is not present on the FortiGate, then go to System -> Feature Visibility and toggle on Additional Features -> Certificates.
  2. Select Create/Import, then select CA Certificate.
  3. Change the Type to File (if uploading a CA certificate file from the local computer), then use the Upload option to locate the CA certificate file on the local computer.

Once the CA certificates have been imported, the end-entity certificate for the FortiGate can be imported (Create/Import -> Certificate).

While this scenario generally occurs with private Certificate Authorities (e.g., a CA owned and operated within a business), it can occasionally occur with well-known public Certificate Authorities as well (e.g., the FortiGuard Certificate Bundle provided to the FortiGate may be missing the required root/intermediate CA certificates).

In those cases, CA certificate files can frequently be retrieved directly from the Certificate Authority over the Internet.

Note: The behavior described above also applies to self-signed end-entity certificates. For example, it is not possible to create a self-signed certificate and then import it as a remote certificate on the FortiGate, as the same error mentioned above will occur.

This is relevant in situations such as the following, where a certificate must be created for the remote SAML IdP and also uploaded as a remote certificate to the FortiGate: Technical Tip: Unable to import remote certificate to FIPS-CC enabled FortiGate for SAML authentication using Azure as IdP. In cases like these, ensure that the end-entity certificate is created and signed by a root/intermediate certificate authority rather than being self-signed.

PKCS#12 format certificates are not supported on the FortiGate in FIPS-CC mode. The user can manually separate a PKCS#12 file into a private-key file and a certificate file, then import those to the FortiGate.
